Distributed computing environments, particularly enterprise computing environments, typically comprise a collection of individual subnetworks interconnected both within and externally via hubs, routers, switches and similar devices. These subnetworks generally fall into two categories. Intranetworks, or Local Area Networks (LANs), are computer networks physically defined within a geographically limited area, such as within an office building. Intranetworks typically operate with a bandwidth of 10 Mbps to 100 Mbps or higher.
Internetworks, or Wide Area Networks (WANs), are computer networks physically defined over a geographically distributed area utilizing private and leased lines obtained through digital communications service providers. The Internet is an example of a widely available public internetwork. Due to the increased complexity of communicating over long distances, network traffic exchanged over internetworks is significantly more costly and generally travels much more slowly than network traffic sent over intranetworks. Internetworks typically operate with a bandwidth of 1.544 Mbps (for a T1 carrier) to 44.7 Mbps (for a T3 carrier) or higher.
Commonly, both intranetworks and internetworks operate in accordance with the Transmission Control Protocol/Internet Protocol (TCP/IP), such as described in W. R. Stevens, “TCP/IP Illustrated, Vol. 1, The Protocols,” Chs. 1-3, Addison Wesley (1994), the disclosure of which is incorporated by reference. TCP/IP is a layered networking protocol, comprising a media layer on the physical side, upwards through link, network, transport and application layers. The link and network layers are point-to-point layers and the transport and application layers are end-to-end layers. Packets travel end-to-end and include both source and destination addresses and ports to identify the location of and logical channels on their originating and receiving hosts, respectively. Intranetworks are often interconnected to internetworks and gateway routers are used to provide transparent translations of device addresses between subdomain address spaces and the internetwork domain address spaces.
A traffic manager can be co-located at the network domain boundary with a gateway router to monitor and analyze transient packet traffic for use in traffic analysis and flow control. Traffic managers optimize bandwidth utilization on internetwork connections, as these connections are costly and relatively slow compared to intranetwork connections. In addition, some traffic managers perform load balancing to ensure even traffic distribution.
Typically, traffic managers implement bandwidth utilization policies that attempt to balance the needs of individual end-user applications competing for a limited share of the bandwidth available over the internetwork connection. Thus, a traffic manager will first examine the contents of network traffic packets to determine the application to which each packet belongs. Based on the policies in force, the traffic manager will either restrict or relax the bandwidth allocated to each application.
A problem arises with a certain class of proscribed or “rogue” applications. These applications resist efforts at detection and, when placed under a bandwidth restriction by a traffic manager, actively take evasive action or exhibit some other form of negative response. Evasive action is known as morphing, whereby the rogue application dynamically changes the operational characteristics of its network packet traffic in response to a perceived restriction on the allocated bandwidth. The evasive actions often consist of a switching of client-server roles or the reassignment of source and destination addresses and ports, also known as address or port “hopping.”
One specific rogue application that has recently become problematic, particularly in academic network settings, is an on-line music exchange service, known as “Napster.” The Napster service deploys particularly aggressive forms of rogue applications which attempt to monopolize a maximum amount of available internetwork bandwidth. Other related, but not quite as aggressive, services include Gnutella, Imesh, and Scour, although other forms of rogue applications exist and still others continue to evolve.
In the prior art, firewalls provide one solution to combating bandwidth monopolization by rogue applications. A typical firewall will apply a packet filter based on network addresses to disallow proscribed packet traffic originating from or destined to identified machines. However, firewalls are inflexible and offer an all-or-nothing solution. The use of packet filters requires a priori knowledge of the network addresses utilized by rogue applications and firewalls are therefore easily overridden by simply dynamically changing the network addresses in use.
Prior art traffic managers also provide limited protection against rogue applications. These devices block network traffic generated by rogue applications based on a broader set of characteristics, including the network ports and traffic direction flow. However, traffic managers are not capable of detecting evasive actions and are therefore easily overridden using the same tactics as for firewalls.
Therefore, there is a need for an approach to identifying and controlling rogue applications in traffic-managed distributed computing environments. Preferably, such an approach would systematically limit bandwidth usage by each rogue application without triggering any evasive actions or other forms of negative response.
There is a further need to provide an approach to identifying and controlling rogue applications through a dynamic feedback mechanism. Preferably, such an approach would detect the bandwidth restriction threshold at which evasive action or another form of negative response is triggered, and then incrementally relax the network restriction until a point of acquiescence is achieved.
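The following simulation is an added example and is not part of the patent text; it illustrates two points made above: why a static address/port filter is overridden by port hopping, and how a feedback controller can locate the restriction threshold that triggers evasive action and then back off to the point of acquiescence. The host addresses, port numbers, the kbps figures, the window and port-count thresholds, and the tolerance model of the simulated application are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed flow record (constructed; fields are assumptions)."""
    src: str
    dst: str
    sport: int
    dport: int
    t: float      # seconds
    nbytes: int


def hopping_host_pairs(flows, window=5.0, min_ports=3):
    """Group flows by host pair and flag pairs that touched at least
    `min_ports` distinct server ports within `window` seconds.  That pattern
    is the port 'hopping' the text describes; a filter keyed on the first
    (address, port) seen would not match the later flows."""
    by_pair = {}
    for f in flows:
        by_pair.setdefault(tuple(sorted((f.src, f.dst))), []).append(f)
    flagged = {}
    for pair, fs in by_pair.items():
        fs.sort(key=lambda f: f.t)
        for i, f in enumerate(fs):
            ports = {g.dport for g in fs[i:] if g.t - f.t <= window}
            if len(ports) >= min_ports:
                flagged[pair] = sorted(ports)
                break
    return flagged


def static_filter_matches(flows, blocked):
    """Bytes a static (dst, dport) packet filter would have stopped."""
    return sum(f.nbytes for f in flows if (f.dst, f.dport) in blocked)


def constructed_flows(t0, hopping):
    """Constructed traffic for one observation window between two hosts.
    Under a cap it cannot tolerate, the simulated application re-opens its
    session on fresh server ports; otherwise it stays on one port."""
    ports = [5000, 5001, 5002] if hopping else [5000, 5000, 5000]  # constructed
    return [Flow("10.0.0.5", "192.0.2.10", 40000 + i, p, t0 + i, 1500)
            for i, p in enumerate(ports)]


@dataclass
class RestrictionController:
    """Lower the cap by `step` until an evasive response is observed, then
    relax in `relax_step` increments until no evasive response remains."""
    cap_kbps: float
    floor_kbps: float = 0.0
    step: float = 64.0
    relax_step: float = 16.0
    threshold_found: bool = False
    history: list = field(default_factory=list)  # (cap, evasive) per tick

    def update(self, evasive):
        self.history.append((self.cap_kbps, evasive))
        if evasive:
            self.threshold_found = True
            self.cap_kbps += self.relax_step
        elif not self.threshold_found:
            self.cap_kbps = max(self.floor_kbps, self.cap_kbps - self.step)
        return self.cap_kbps

    def settled(self):
        """Acquiescence: threshold located and the last tick showed no evasion."""
        return self.threshold_found and not self.history[-1][1]


def run_until_settled(ctrl, tolerance_kbps, max_ticks=50):
    """Drive the controller against a constructed application that hops ports
    whenever the cap falls below `tolerance_kbps`.  Returns the settled cap."""
    for tick in range(max_ticks):
        hopping = ctrl.cap_kbps < tolerance_kbps          # constructed model
        flows = constructed_flows(t0=tick * 10.0, hopping=hopping)
        evasive = bool(hopping_host_pairs(flows))         # detector, not model
        ctrl.update(evasive)
        if ctrl.settled():
            return ctrl.cap_kbps
    return None


if __name__ == "__main__":
    blocked = {("192.0.2.10", 5000)}
    print("static filter stops", static_filter_matches(constructed_flows(0.0, True), blocked),
          "of", sum(f.nbytes for f in constructed_flows(0.0, True)), "bytes once hopping starts")
    ctrl = RestrictionController(cap_kbps=512.0)
    print("settled cap:", run_until_settled(ctrl, tolerance_kbps=200.0), "kbps")
    for cap, ev in ctrl.history:
        print(f"  cap={cap:6.1f} evasive={ev}")
```

The evasion signal fed to the controller comes from the flow observer rather than from the simulated application directly, so the same loop works against any detector that reports a negative response per observation window; the cap steps and thresholds are tuning values a deployment would set from its own link capacity.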